Category Archives: Vol. 4 No. 1

Cybersecurity: National Leadership, Individual Responsibility | This issue contributes to the national debate on cyber-related issues by supplying some of the missing pieces of the discussion, focusing on the largest and most difficult sub-set: cybersecurity.

Cybersecurity Strategy: A Primer for Policy Makers and Those on the Front Line

The Internet seems to offer the promise of everything to everyone. For global and local business, it lowers costs while increasing innovation, invention, effectiveness, and efficiencies. For wealthy and poor economies alike, the Internet greatly expands markets for products and services. For peoples free and repressed, it provides an inlet and an outlet of expression. For large and small communities, whether living in urban centers or outlying regions, the Internet enables control over critical power, transportation, water, and sewerage systems.

Lest we forget, for sophisticated criminals, terrorists, warmongers, and spies, the Internet also offers the chance of a lifetime to cheat, steal, and strike from afar with little money, covered tracks, and enormous real world impact. While the ability to use the same technology for positive or destructive ends is neither new nor momentous, it is necessary to consider whether the rapid adoption of the Internet has provided so considerable an asymmetric advantage to our adversaries that it can change the course of American history. In this regard, when we consider the intent and capabilities of our enemies, we cannot underestimate them or, as the 9/11 Commission found in a different context, suffer from failures in imagination, policy, capabilities, or management.

Thus our future remains uncertain. Based on our increasing reliance on networks to drive our economy and support our health, welfare, communications, and security, certain questions loom large. For example, can our enemies control whether, how, and when our systems operate and our vital services get delivered? Are our personal and business records, corporate intellectual property, and state secrets routinely exposed or imperceptibly altered?1

Unfortunately, the answers to these questions not only remain unknown, they perhaps are unknowable. Therefore, it is difficult to provide our nation’s government leaders, corporate executives, shareholders, and citizens with reasonable assurance that our computer systems have not been…

History Repeats Itself: The 60-Day Cyberspace Policy Review in Context

On February 9, 2009, President Obama gave his National Security and Homeland Security Advisors 60 days to conduct a Cyberspace Policy Review.1 The stated purpose of this “60-Day Review” was to provide a comprehensive assessment of U.S. policies for cybersecurity.2 According to a White House press release, the review would “develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.”3

The 60-Day Review was an ambitious project and, in the end, took more than 60 days to complete.4 When the final report was issued on May 29, 2009, it offered a careful assessment of the current situation and a broad vision of what the United States must accomplish to secure our digital future. This vision, however, was not fundamentally different from previous iterations of cybersecurity strategy that the U.S. government has issued over the past 12 years.

The 60-Day Review undoubtedly represents a critical step toward addressing the many challenges the United States faces in working to secure its public and private information systems. However, it is important to place this document in proper context and understand what it accomplishes and what business it leaves unfinished. Before much progress can be made in improving cybersecurity, there are some tough policy decisions that have to be made.

The 60-Day Review does not take on many of those decisions. Rather, it provides an accurate and troubling picture of what the country is up against. It offers a glimpse of the daunting but important tasks of trying to harmonize the cybersecurity programs within government, establishing an effective partnership with the private sector, and developing strong relationships with other nations to combat cyber crime. It recommends…

Offensive Cyber Operations and the Use of Force

Hostile actions against a computer system or network can take two forms.1 One form – a cyber attack – is destructive in nature. An example of such a hostile action is erasure by a computer virus resident on the hard disk of any infected computer. In this article, “cyber attack” refers to the use of deliberate actions and operations – perhaps over an extended period of time – to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and (or) programs resident in or transiting these systems or networks.2 Such effects on adversary systems and networks may also have indirect effects on entities coupled to or reliant on them. A cyber attack seeks to cause the adversary’s computer systems and networks to be unavailable or untrustworthy and therefore less useful to the adversary.

The second form – cyberexploitation – is nondestructive. An example is a computer virus that searches the hard disk of any infected computer and emails to the hostile party all files containing a credit card number. “Cyberexploitation” refers to the use of actions and operations – perhaps over an extended period of time – to obtain information that would otherwise be kept confidential and is resident on or transiting through an adversary’s computer systems or networks. Cyberexploitations are usually clandestine and conducted with the smallest possible intervention that still allows extraction of the information sought.3 They do not seek to disturb…